Combining Java encryption technology with Windows

The public key encryption technology requires a space for storing digital certificates and private keys. The Java security architecture implements a platform-independent encryption technology by storing keys and certificates in a file (called KeyStore).

Microsoft Windows stores keys and certificates in the Windows registry and the file system. This means that a user who runs a secure Java program on a Windows system must enter and output keys and certificates between Java and Microsoft's keys and certificate libraries. The good news is that you can "trick" Java applications through Microsoft's local functions to use Microsoft's certificates and key libraries.

By combining your Java application with the Windows key/certificate library, you sacrifice platform independence, but you get four benefits: reduced management and support costs, more user-friendly, better certificate revocation checking, and better key and certificate management tools.

A Java program must implement the integration with Windows encryption through four different classes: · TrustManager Provider: This class is used to integrate with the Windows Certificate Library and implement security policies.

· Keymanager Provider: This class is used to integrate with the Windows private key library.

· RSA Signature Provider: Digital signatures require access to the private key library. If the Java program cannot read the private key (for example, if the private key exists on an encrypted smart card), then the signature operation must be done in Windows.

· RSA Cipher Provider: Decrypting RSA encrypted data (such as the cryptographic Sockets Layer (SSL)-symmetric key) requires access to the private key library. If the Java program cannot read the private key (for example, if the private key exists on an encrypted smart card), then the RSA decryption operation must be done in Windows.

I will describe the use of TrustManager Provider, Keymanager Provider, RSA Signature Provider, and RSA Cipher Provider that are integrated with the Windows platform. TrustManager and Keymanager allow you to build a Java Secure Socket Extension (JSSE) application that you can run with Windows support. Jsse sample Programs--echoserver and echoclient can prove this. You cannot overwrite Jsse's built-in RSA Cipher Provider, so the Jsse application can run only if the private key can be exported from the Windows KeyStore.

If you are writing a Java application that uses RSA signatures or RSA encryption, you can use the RSA Signature Provider and cipher Provider supported by Windows. This does not require the private key to be exported from the Windows KeyStore. For the other three providers (provider), you can use each of them individually.

The code is developed with Beta JDK 1.4.0-RC and is stable. However, we intend to develop this code as a framework for further development. Before you use this code in a production environment, you should improve exception handling, making sure that there is no memory leak in your local code and minimizing the exposure of the key. In order to test the code, you need an RSA digital certificate. You can get a temporary certificate from the VeriSign website Www.verisign.com/client/enrollment, which is valid for 60 days. Follow the guidelines on this site for specific actions. Do not select the box labeled "Protect your Private Key." Because this box is not selected, your private key can be exported.

The following code initializes four providers:

MSTrustMgrProvider.install（）;
MSKeyMgrProvider.install（）;
MSRSASignProvider.install（）;
MSRSACipherProvider.install（）;
kmf = KeyManagerFactory
.getInstance（"MSKMF"）;
tmf = TrustManagerFactory.
getInstance（"MSTMF"）;
Cipher cipher =
Cipher.getInstance（
"RSA/ECB/PKCS1Padding"）;
Signature rsa =
Signature.getInstance（
"SHA1withRSA"）;